KLA11459
Multiple vulnerabilities in Microsoft Developer Tools
Обновлено: 26/06/2019
Microsoft official advisories
Microsoft Security Update Guide
KB list

4493441
4493474
4493464
4493509
4493470

Дата обнаружения
09/04/2019
Уровень угрозы
Critical
Описание

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, obtain sensitive information, bypass security restrictions, gain privileges, cause denial of service.

Below is a complete list of vulnerabilities:

  1. A memory corruption vulnerability in Chakra Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
  2. An information disclosure vulnerability in Open Enclave SDK can be exploited remotely to obtain sensitive information.
  3. An elevation of privilege vulnerability in Azure DevOps Server can be exploited remotely via specially crafted request to gain privileges.
  4. A memory corruption vulnerability in Scripting Engine can be exploited remotely via specially crafted website to execute arbitrary code.
  5. A denial of service vulnerability in ASP.NET Core can be exploited remotely via specially crafted requests to cause denial of service.
  6. A spoofing vulnerability in Azure DevOps Server can be exploited remotely via specially crafted payload to spoof user interface.
Пораженные продукты

ChakraCore
Microsoft Edge
Open Enclave SDK
Azure DevOps Server 2019
ASP.NET Core 2.2

Решение

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Первичный источник обнаружения
CVE-2019-0829
CVE-2019-0868
CVE-2019-0806
CVE-2019-0810
CVE-2019-0812
CVE-2019-0876
CVE-2019-0870
CVE-2019-0874
CVE-2019-0869
CVE-2019-0860
CVE-2019-0867
CVE-2019-0875
CVE-2019-0739
CVE-2019-0866
CVE-2019-0815
CVE-2019-0857
CVE-2019-0861
CVE-2019-0871
Оказываемое влияние
?
ACE 
[?]

OSI 
[?]

DoS 
[?]

SB 
[?]

PE 
[?]

SUI 
[?]
Связанные продукты
Microsoft Edge
ChakraCore
Team Foundation Server
Microsoft Azure
CVE-IDS
CVE-2019-08294.2Warning
CVE-2019-08680.0Unknown
CVE-2019-08064.2Warning
CVE-2019-08104.2Warning
CVE-2019-08124.2Warning
CVE-2019-08760.0Unknown
CVE-2019-08700.0Unknown
CVE-2019-08740.0Unknown
CVE-2019-08690.0Unknown
CVE-2019-08604.2Warning
CVE-2019-08670.0Unknown
CVE-2019-08750.0Unknown
CVE-2019-07394.2Warning
CVE-2019-08660.0Unknown
CVE-2019-08150.0Unknown
CVE-2019-08570.0Unknown
CVE-2019-08614.2Warning
CVE-2019-08710.0Unknown